Resolution

The following is a response to the current situation with the software security vulnerability dubbed Heartbleed:

The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation.

VMware has released product updates and patches for all affected products listed in this article.

Note: If you encounter an issue during the upgrade process, file a support request with VMware Technical Support and note the Knowledge Base article ID you are using in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).

Deploying vSphere 5.5 (and other relevant VMware products) on an isolated management network reduces the exposure to CVE-2014-0160. Hosting vSphere components directly on the Internet is strongly discouraged. Virtual machines that are exposed to the Internet should be updated in case they are affected. For these virtual machines, refer to the instructions from the operating system provider.

Affected VMware products

These VMware products that ship with OpenSSL 1.0.1 have been confirmed to be affected:

Note: The version of the Client Integration Plug-In (CIP) used with vSphere Web Client 5.5 is affected (see above). The Client Integration Plug-In is part of vCenter Server 5.5 and of vCenter Server Appliance 5.5. To remediate CIP 5.5, you must update vCenter Server 5.5 or vCenter Server Appliance 5.5 first. See VMware Security Advisory VMSA-2014-0004 to learn about the CIP 5.5 update.

Note: The version of the Client Integration Plug-In (CIP) used with vCloud Director 5.5 is affected (see above). To remediate CIP 5.5, you must update vCloud Director 5.5 first. See VMware Security Advisory VMSA-2014-0004 to learn about the CIP 5.5 update.

VMware vCloud Networking and Security (vCNS) 5.1.2 and below

VMware vCloud Networking and Security (vCNS) 5.5.0 and 5.5.0a

VMware vFabric Data Director

VMware vFabric Postgres

VMware View 4.x

VMware Virsto

VMware vSphere Client

VMware vSphere Data Protection (vDP)

VMware vSphere Management Assistant (vMA)

VMware vSphere Replication

VMware vSphere Storage Appliance (VSA)

Affected Partner Products

This product from a VMware partner ships with OpenSSL 1.0.1 and was found to be affected: